ctipilot.ch


CVE-2026-8037 — Progress Kemp LoadMaster: pre-auth RCE via uninitialized heap in the `/accessv2` API

From CTI Daily Brief — 2026-06-30 · published 2026-06-30

CVE-2026-8037 (CVSS 9.8) is a pre-authentication RCE in Progress Kemp LoadMaster, an edge load balancer (watchTowr Labs, 2026-06-29 · Trend Micro ZDI, 2026-06-09). The `escape_quotes()` function in the `access` executable allocates its buffers with `malloc()`, which returns uninitialized memory, and does not null-terminate the escaped strings; a sprayed JSON payload to `/accessv2` (four single-quotes expanding to 16 bytes) overwrites heap metadata in adjacent freed chunks, and the subsequent `__sprintf_chk()` reads out-of-bounds into attacker-controlled data, reaching code execution as root with no authentication. watchTowr published the full mechanics. Affected: GA ≤ 7.2.63.1 and LTSF ≤ 7.2.54.17; fixed in v7.2.63.2 (which switches to `calloc()` with proper null termination). A second CVE in the same bulletin, CVE-2026-33691, bypasses file-upload extension checks via OWASP CRS whitespace padding. Progress reports no known active exploitation. Hardening: patch to v7.2.63.2, restrict the management interface to a dedicated admin VLAN, and add perimeter anomaly detection for unusual character sequences in JSON POSTs to `/accessv2`.
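One way to implement the perimeter check suggested above, as an added example (not code from the brief, watchTowr or Progress): it inspects request bodies POSTed to `/accessv2` and flags single-quote anomalies. The thresholds, the `param` field name and the sample requests are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumed tuning values, not taken from the advisory: a run of 4+ single
# quotes (the brief mentions four single-quotes) or many quotes in one value.
QUOTE_RUN = re.compile(r"'{4,}")
MAX_QUOTES_PER_VALUE = 8


def iter_strings(node):
    """Yield every string key and value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def inspect_request(method, url, body):
    """Return sorted reasons a request looks anomalous (empty list = clean)."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != "/accessv2":
        return []
    reasons = set()
    try:
        doc = json.loads(body)
    except ValueError:  # also covers invalid UTF-8 in a bytes body
        # Malformed JSON still reaches the appliance, so scan the raw text.
        reasons.add("body is not valid JSON")
        doc = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    for text in iter_strings(doc):
        if QUOTE_RUN.search(text):
            reasons.add("run of 4+ single quotes")
        elif text.count("'") > MAX_QUOTES_PER_VALUE:
            reasons.add("high single-quote count in one value")
    return sorted(reasons)


# Constructed sample requests (placeholder field name, not real traffic).
SAMPLES = [
    ("POST", "/accessv2", b'{"param": "o\'brien"}'),     # benign apostrophe
    ("POST", "/accessv2", b'{"param": "a\'\'\'\'b"}'),  # quote run
    ("POST", "/accessv2?x=1", b'{"param": '),            # truncated JSON
    ("GET", "/accessv2", b""),                           # out of scope
]
RESULTS = [inspect_request(*sample) for sample in SAMPLES]
```

Feed it decoded request records from a reverse proxy or WAF log that captures bodies, and tune the thresholds against normal API traffic before alerting on them.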